Architecture & Frameworks
The foundational worldview. Transforming abstract frameworks into executable models.
Core Design Principles
Zero Trust
"Never Trust, Always Verify." Identity is the new perimeter. No implicit trust for internal networks.
Defense in Depth
Layered controls (WAF → Auth → RASP → DB Encrypt). If one fails, the others catch it.
Security by Default
Systems should be secure out-of-the-box. No "opt-in" security settings.
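The three principles above are easiest to see side by side in code. The following is an added example, not code from the original page: a request pipeline built from independent layers (Defense in Depth) in which the authentication layer deliberately ignores the source network, so an internal address earns no bypass (Zero Trust), and every layer is on unless removed (Security by Default). The layer names, token scheme, role table and sample requests are constructed for illustration.

```python
"""Layered request handling with per-request identity verification.
Added example: the token format, secret, role table and sample traffic
are constructed placeholders, not any real project's design."""

import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed placeholder; a real deployment loads the key from a secret store.
SECRET = b"constructed-demo-secret"

# Constructed least-privilege role table: each identity reaches only its own paths.
ALLOWED = {
    "alice": {"/accounts/alice"},
    "bob": {"/accounts/bob"},
}


@dataclass
class Request:
    path: str
    body: str
    token: str            # "" means the caller presented no credential
    source_ip: str
    user: str = ""        # filled in by the authentication layer
    trace: list = field(default_factory=list)   # layers the request cleared


def issue_token(user: str) -> str:
    """Constructed token format: user name plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def waf_layer(req: Request):
    """Layer 1: edge filter on the raw body (size cap plus a few constructed signatures)."""
    if len(req.body) > 4096 or re.search(r"\.\./|<script", req.body, re.I):
        return "blocked by WAF"
    return None


def authn_layer(req: Request):
    """Layer 2: verify identity on every request.
    Zero Trust: req.source_ip is never consulted here, so a request from an
    internal address is checked exactly like one from the internet."""
    user, _, tag = req.token.partition(".")
    if not user or not tag:
        return "rejected by authn"
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "rejected by authn"
    req.user = user
    return None


def authz_layer(req: Request):
    """Layer 3: least-privilege authorization for the verified identity."""
    if req.path not in ALLOWED.get(req.user, set()):
        return "denied by authz"
    return None


def validation_layer(req: Request):
    """Layer 4: in-app runtime validation; catches what the edge filter missed."""
    if not req.body.isprintable():
        return "rejected by validation"
    return None


# Every layer is active by default; removing one is an explicit, reviewable change.
LAYERS = [waf_layer, authn_layer, authz_layer, validation_layer]


def handle(req: Request) -> str:
    """Run the layers in order; the first failing layer decides the outcome."""
    for layer in LAYERS:
        verdict = layer(req)
        if verdict:
            return verdict
        req.trace.append(layer.__name__)
    return "ok"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Request("/accounts/alice", '{"amount": 10}', issue_token("alice"), "203.0.113.7"),
        Request("/accounts/alice", '{"amount": 10}', "", "10.0.0.5"),   # internal, no token
        Request("/accounts/bob", '{"amount": 10}', issue_token("alice"), "10.0.0.5"),
        Request("/accounts/alice", "../../config", issue_token("alice"), "203.0.113.7"),
    ]
    for req in samples:
        print(f"{req.source_ip:>12} {req.path:<16} -> {handle(req)} {req.trace}")
```

The `trace` list is the audit trail a practitioner wants: when a request is rejected you can see which layers it cleared first, and when the WAF is misconfigured the authentication and authorization layers still stand on their own.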
The "LSP" Model
A continuous loop that ensures security is not just a document, but a living system. True architecture bridges the gap between high-level policy and low-level configuration.
Governance Phase
Defining the 'Why' and 'What'. Aligning security strategy with business goals.
Key Activities
- Security Policy
- Risk Appetite
- Compliance (Laws/Regs)
- Standards Definition
Architect's Note
"Most failures in the Governance phase happen because policies are written without understanding technical feasibility."
Framework Ecosystem
Security architects often get lost in the "Alphabet Soup" of frameworks. The key is to understand the intent of each:
- SABSA (Business-Driven): Focuses on why. Maps business goals (e.g., "Enable Mobile Banking") to security attributes (e.g., "Availability", "Trust").
- TOGAF (Enterprise Arch): Focuses on what and how. Provides the standard structure for Business, Data, App, and Tech layers.
- O-ESA (The Bridge): Specifically designed to embed security into the Enterprise Architecture flow.
Financial Security Reality: TradFi vs. FinTech
Policy Architecture
Policy (The Law)
High-level statements of intent. Mandatory.
Example: "All sensitive data must be encrypted at rest."
Standard (The Spec)
Specific technologies or metrics. Mandatory.
Example: "Use AES-256-GCM for data at rest."
Procedure (The Script)
Step-by-step instructions. Operational.
Example: "Run this Terraform script to enable encryption."
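The Policy, Standard and Procedure tiers become most useful when the procedure is an automated check rather than a document. The following is an added example, not code from the original page: the policy statement and the standard are the ones quoted above, and the procedure is a policy-as-code audit that distinguishes a policy violation (sensitive data not encrypted at all) from a standard deviation (encrypted, but not with AES-256-GCM). The inventory format and every resource in it are constructed for illustration.

```python
"""Policy -> Standard -> Procedure as an executable check.
Added example: the inventory layout and the resources in it are constructed
placeholders, not any real organisation's asset data."""

from dataclasses import dataclass

# Tier 1, the Policy: a mandatory statement of intent (quoted from the page).
POLICY = "All sensitive data must be encrypted at rest."

# Tier 2, the Standard: the mandatory spec that makes the policy testable (from the page).
STANDARD = {"at_rest_algorithm": "AES-256-GCM"}


@dataclass(frozen=True)
class Finding:
    resource: str
    tier: str      # "policy" (intent violated) or "standard" (spec not met)
    detail: str


# Constructed inventory, in the shape an asset database export might take.
INVENTORY = [
    {"name": "ledger-db", "sensitive": True,
     "encryption": {"enabled": True, "algorithm": "AES-256-GCM"}},
    {"name": "kyc-docs", "sensitive": True,
     "encryption": {"enabled": True, "algorithm": "AES-128-CBC"}},
    {"name": "session-cache", "sensitive": True,
     "encryption": {"enabled": False}},
    {"name": "public-cdn", "sensitive": False,
     "encryption": {"enabled": False}},
]


def evaluate(resource: dict) -> list:
    """Tier 3, the Procedure: check one resource against the policy, then the standard."""
    if not resource.get("sensitive"):
        return []                                   # the policy scopes itself to sensitive data
    enc = resource.get("encryption") or {}
    if not enc.get("enabled"):
        return [Finding(resource["name"], "policy", "not encrypted at rest")]
    alg = enc.get("algorithm")
    required = STANDARD["at_rest_algorithm"]
    if alg != required:
        return [Finding(resource["name"], "standard",
                        f"uses {alg}, standard requires {required}")]
    return []


def audit(inventory: list) -> list:
    """Run the procedure over the whole inventory and collect findings."""
    return [f for r in inventory for f in evaluate(r)]


def exit_code(findings: list) -> int:
    """Non-zero when any policy-tier finding exists, so a CI gate can block on it."""
    return 1 if any(f.tier == "policy" for f in findings) else 0


if __name__ == "__main__":
    results = audit(INVENTORY)
    print(POLICY)
    for f in results:
        print(f"  [{f.tier:<8}] {f.resource}: {f.detail}")
    print("exit code:", exit_code(results))
```

Separating the two tiers in the output matters operationally: a policy finding is a gap in intent and has no exception path, while a standard finding is a known-encrypted store running an out-of-spec algorithm, which is the kind of item that goes through a documented exception and migration plan.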